Check Point VPN-1/FireWall-1

Basic License Features of Check Point R70 and above


AERAsec Network Services and Security GmbH


This page is about the basic license features of Check Point R7x Software Blades

This document gives an overview of licensing for Check Point R70 and above. No warranty at all!
Licenses for Check Point Hardware Appliances are currently not explained.
For details and prices, please contact Check Point, your local reseller, or us if you want us to be your new reseller.

Usually, people have a string describing the license, but not everybody knows exactly what this license string means. A look at the file $CPDIR/conf/cp.macro does not always help, because it only contains the mapping of the license string to the license features.
Further information about this topic is available upon request. This document covers Check Point R70 and above. For other versions, e.g. NG AI, NGX or even R70, please refer to the corresponding page.

Please be aware that licensing is per Gateway, no longer per Site. A Cluster consists of e.g. two Gateways, so when using a Service Blade like IPS, each system has to be licensed with this blade.

For information about the new licensing scheme for Endpoint Security, please follow this link.

 

General overview

To work with Check Point R7x longer than two weeks, you will need a corresponding license. In many cases, a license bundle containing the management solution as well as one firewall is purchased. You can also buy a Security Management (CPSM, mandatory) and the needed licenses for the Security Gateway(s) (CPSG). Be sure to order the correct size of CPSM! Additionally, you can obtain licenses for additional Software Blades which offer different security enhancements. 
In general, there is a difference between "one time licensing" for licenses which are going to be used permanently for Management or Security Gateway (at least CES Support required) and "service licenses" which need to be renewed every year (e.g. updates for Anti-Virus, IPS, DLP or URL Filtering).

When obtaining a license, you will get a Certificate Key (CK), which isn't really a license. By entering this CK in your account in Check Point's UserCenter, you will get the "real license", which needs to be imported to the SmartCenter (or the Firewall, when still using local licensing).

The CK is generated when you have placed your order for the license(s) you need. In general, an order key has different parts:

  1. CPSG
    Product family
  2. C101
    Product sub-family
  3. HA
    when a license is for High Availability only, this suffix is used.

 

1. Product Family

Here you find a collection of the main product families. Basically, these are Gateway and Management components. Furthermore, software extensions are available as Security Blades (available for Gateway as well as Management), as are hardware appliances by Check Point.

CPAP  
Check Point Hardware Appliance

CPSB
Check Point Security Blade (Software Module)

CPSG
Check Point Security Gateway (e.g. Firewall)

CPSM
Check Point Security Management (e.g. SmartCenter)

 

2. Product sub-family

To configure a firewall, you will need a management component (CPSM-xxx) as well as a gateway component (CPSG-xxx or CPAP-SGxxx). Bundles are also available. The following steps are necessary to select the correct licenses:

- Decide if a bundle of management and gateway fits your needs. 
   - Select the corresponding Management and Gateway bundle 
   - Select additional Security Management Blades, optional
   - Select additional Security Gateway Blades, optional
   - Select additional Security Gateway Service Blades, optional

- Decide if pre-defined systems are ok for you. In this case, you can choose
   - one Security Management Software Pre-defined system
   - Select additional Security Management Blades, optional
   - one Security Gateway pre-defined system
   - Select additional Security Gateway Blades, optional
   - Select additional Security Gateway Service Blades, optional

- If individual licensing is ok for you, take these steps:
   - Select a Security Management Container
   - Select the needed Security Management Blades
   - Select a Security Gateway Container
   - Select the needed Security Gateway Blades
   - Select the needed Security Gateway Service Blades

- Later on, all licenses can be found in your Check Point UserCenter Account. At least a basic support (e.g. CES Standard) is required, leading to additional yearly cost.   


2.1 Management

For each installation of Check Point products, a management component is mandatory. 

Security Management Software Pre-defined Systems

SM1003
Check Point Security Management pre-defined system including container and 3 blades: NPM, EPM, LOGS
Management for up to 10 gateways

SM1007
Check Point Security Management pre-defined system including container and 7 blades: NPM, EPM, LOGS, MNTR, EVIN, PRVS, UDIR
Management for up to 10 gateways

SM2506
Check Point Security Management pre-defined system including container and 6 blades: NPM, EPM, LOGS, MNTR, EVIN, PRVS 
Management for up to 25 gateways

SMU003
Check Point Security Management pre-defined system including container and 3 blades: NPM, EPM, LOGS
Management for an unlimited number of gateways

SMU007
Check Point Security Management pre-defined system including container and 7 blades: NPM, EPM, LOGS, MNTR, EVIN, PRVS, UDIR
Management for an unlimited number of gateways

SM1003E
Check Point Endpoint Security Management pre-defined system including container and 3 blades: EPM, LOGS, UDIR
Management for up to 1000 managed Endpoints

SM2503E
Check Point Endpoint Security Management pre-defined system including container and 3 blades: EPM, LOGS, UDIR
Management for up to 2500 managed Endpoints

SMU003E
Check Point Endpoint Security Management pre-defined system including container and 3 blades: EPM, LOGS, UDIR
Management for an unlimited number of managed Endpoints


 

Security Management Container

SM1000
Check Point Security Management Container for up to 10 gateways and 1000 managed Endpoints

SM2500
Check Point Security Management Container for up to 25 gateways and 2500 managed Endpoints

SMU000
Check Point Security Management Container for an unlimited number of gateways and managed Endpoints

SM500 (optional, additional)
Check Point Security Management Container Expansion for additional 5 managed gateways


 

Security Management Blades

NPM
Check Point Network Policy Management blade
offers security policy management for Check Point gateways via SmartDashboard

EPM
Check Point Endpoint Policy Management blade
offers central security policies for endpoint devices (ex Integrity)

LOGS
Check Point Logging & Status blade
offers central logging and visualized changes and activities 

MNTR
Check Point Monitoring blade
offers monitoring of network and security performance (ex SmartView Monitor)

PRVS
Check Point Provisioning blade (ex SmartLSM)
offers central administration and provisioning of security gateways and UTM-1 Edge

MPTL
Check Point Management Portal blade
offers access to the management using a web browser (ex SmartPortal)

UDIR
Check Point User Directory blade
offers authentication of users via LDAP-based user information stores, e.g. MS Active Directory (ex SmartDirectory)

EVIN
Check Point SmartEvent Intro blade
offers forensic analysis and reporting for a single Check Point Security Blade (e.g. IPS)

EVNT
Check Point SmartEvent blade
offers forensic analysis and reporting for Check Point and 3rd party devices (ex Eventia Analyzer)

RPRT
Check Point SmartReporter blade
offers graphical and easy to understand reports based on logs (ex Eventia Reporter)

WF
Check Point SmartWorkflow blade
offers Security Policy Change Management and comparison of rule bases

GBLP
Check Point Global Policy blade
offers the use of Global Policies within Multi Domain Management (Provider-1)

DMN
Check Point Security Domain blade
offers the management of additional Virtual Security Management Domains (ex CMA, Provider-1)



2.2 Gateway

As a matter of principle, the Security Gateway Blade "Firewall" (FW) is always included.  

Security Gateway Pre-defined Systems

SG103, container for 1 core hardware, 
includes 3 blades: FW, VPN, IPS
limited to 50 users and recommended up to 8 ports

SG108, container for 1 core hardware, 
includes 8 blades: FW, IA, VPN, IPS, ASPM, URLF, AV, APCL
limited to 50 users and recommended up to 8 ports

SG203, container for 2 core hardware, 
includes 3 blades: FW, VPN, IPS
limited to 500 users and recommended up to 12 ports

SG205i, container for 2 core hardware, 
includes 5 blades: FW, IA, VPN, IPS, APCL
limited to 500 users and recommended up to 12 ports

SG207i, container for 2 core hardware, 
includes 7 blades: FW, IA, VPN, ADN, ACCL, IPS, APCL
limited to 500 users and recommended up to 12 ports

SG209, container for 2 core hardware, 
includes 9 blades: FW, IA, VPN, ACCL, IPS, ASPM, URLF, AV, APCL
limited to 500 users and recommended up to 12 ports

SG407i, container for 4 core hardware, 
includes 7 blades: FW, IA, VPN, ADN, ACCL, IPS, APCL
unlimited users, recommended up to 16 ports

SG409, container for 4 core hardware, 
includes 9 blades: FW, IA, VPN, ACCL, IPS, ASPM, URLF, AV, APCL
unlimited users, recommended up to 16 ports

SG807, container for 8 core hardware, 
includes 7 blades: FW, IA, VPN, ADN, ACCL, IPS, APCL
unlimited users

SG1207, container for 12 core hardware on Open Servers, 
includes 7 blades: FW, IA, VPN, ADN, ACCL, IPS, APCL
unlimited users


 

Security Gateway Containers

SG101
Check Point SG101, container for 1 core hardware, includes 1 blade (FW), limited to 50 users, recommended up to 8 ports

SG201
Check Point SG201, container for 2 core hardware, includes 1 blade (FW), limited to 500 users, recommended up to 12 ports

SG401
Check Point SG401, container for 4 core hardware, includes 1 blade  (FW), unlimited users, recommended up to 16 ports

SG801
Check Point SG801, container for 8 core hardware, includes 1 blade  (FW), unlimited users, recommended up to 20 ports

SG1201
Check Point SG1201, container for 12 core hardware, includes 1 blade  (FW), unlimited users, recommended up to 20 ports


 

Security Gateway Blades

CPSB-FW - Firewall
Check Point Firewall blade, always included
offers the well known FireWall-1 capabilities 

CPSB-IA - Identity Awareness
Check Point Identity Awareness blade
offers security per user and machine across the Firewall 

CPSB-VPN - IPsec VPN
Check Point IPSEC VPN blade
offers Site-to-Site VPN and Remote Access using IPSec

CPSB-MOB - Mobile Access
Check Point Mobile Access Blade
offers remote access (ex-Connectra and/or SSL VPN)

CPSB-ADN - Advanced Networking
Check Point Advanced Networking blade
offers dynamic routing, multicast support and Quality of Service (QoS) to security gateways

CPSB-ACCL - Acceleration and Clustering
Check Point Acceleration & Clustering blade
offers SecureXL and ClusterXL LS to security gateways

CPSB-WS - Web Security
Check Point Web Security blade
offers advanced protection for web servers, e.g. against buffer overflows or information disclosure

CPSB-VOIP - Voice over IP 
Check Point Voice over IP blade
offers improvements for more than 60 VoIP applications
(VoIP Software Blade is currently available on NGX R65 only)


 

Security Gateway Service Blades
Prices mostly depend on size/class of the Security Gateway

CPSB-APCL - Application Control 
Check Point Application Control blade (R75 and above)
offers visibility and control of Internet applications usage, updates included

CPSB-DLP - Data Loss Prevention
Check Point Data Loss Prevention blade (R71 and above)
offers DLP, to be licensed per number of users and mail as well as throughput

CPSB-IPS-S1 - Intrusion Prevention
Check Point IPS blade for small business (see below)
offers the integrated Intrusion Prevention System, updates included
Version for UTM-1 130, UTM-1 270, UTM-1 570, and SG101/C101

CPSB-IPS - Intrusion Prevention
Check Point IPS blade
offers the integrated Intrusion Prevention System, updates included
Version for all other gateway systems/licenses

CPSB-URLF - URL Filtering
Check Point URL Filtering blade
offers URL filtering of many million sites, updates included

CPSB-AV - Anti-Virus & Anti-Malware
Check Point Anti-Virus & Anti-Malware blade
offers Anti-Virus protection including heuristic virus analyses, updates included

CPSB-ASPM - Anti-Spam & Email Security
Check Point Anti-Spam and E-Mail Security blade
offers multi-dimensional protection for the messaging infrastructure, updates included

CPSB-WBCL - Web Control Package
Check Point Web Control Software Package
including Application Control and URL Filtering blades, updates included

CPSB-TS - Total Security Blades Package
Check Point Total Security Package
offers a package of all service blades (IPS, URLF, AV, ASPM)
Version for all other gateway systems/licenses




2.3 Management and Gateway Bundles

SM203/SG103
Management of 2 gateways and 3 blades (SM203)
Gateway with 1 core, 50 users and 3 blades (SG103) 

SM303/SG103
Management of 3 gateways and 3 blades (SM303)
Gateway with 1 core, 50 users and 3 blades (SG103) 

SM303/SG203
Management of 3 gateways and 3 blades (SM303)
Gateway with 2 cores, 500 users and 3 blades (SG203) 

SM1003/SG203
Management of 10 gateways and 3 blades (SM1003)
Gateway with 2 cores, 500 users and 3 blades (SG203) 

SM1003/SG407i
Management of 10 gateways and 3 blades (SM1003)
Gateway with 4 cores, unlimited users and 7 blades (SG407i) 

SM2506/SG407i
Management of 25 gateways and 6 blades (SM2506)
Gateway with 4 cores, unlimited users and 7 blades (SG407i) 

SMU003/SG407i
Management of unlimited gateways and 3 blades (SMU003)
Gateway with 4 cores, unlimited users and 7 blades (SG407i) 

SMU007/SG807
Management of unlimited gateways and 7 blades (SMU007)
Gateway with 8 cores, unlimited users and 7 blades (SG807) 


 

 


No warranty at all, your Feedback is welcome!
© 2003-2011 AERAsec Network Services and Security GmbH, last change 2011-08-11